TCP 32764 Backdoor
Jan. 24, 2014
AKA Rooting Routers for Fun
Firstly, I apologize, this is a little dated, but I think it is extremely interesting and worth sharing. Unlike most other security related articles that just document an attack and tell the story in the past tense, this is an active, vulnerable, exploitable backdoor.
About a month ago, a backdoor was discovered on a Linksys WAG200G router. There is a process that listens on port 32764, and it allows free access to many hosts on the internet. No patches are available, as this is an older router that is out of maintenance. The backdoor doesn't have any kind of authentication and allows some very dangerous commands, like opening a remote root shell, dumping Wi-Fi and PPPoE credentials, and copying files! It's unclear what caused this backdoor, only that the program is in the firmware itself. This vulnerability is interesting because it's currently active and people are just figuring out how to systematically attack it.
Discovered this great free VPN service called spotflux; it is so easy to use. On public networks, every website you visit can be tracked, and a VPN tunnels your traffic to the spotflux servers instead. The price you pay, though, is having ads injected into unencrypted HTML pages (plain HTTP).
For example, there is a black rectangle. For me, it looks like this (with adblock enabled):
Image compression using a discrete Fourier transform in MATLAB. We can compress a lot and still have an excellent picture, e.g. a drop ratio of 70% still gives good quality.
Same images, different compression
Hacking Android APK Tutorial
Tutorial on hacking an Android APK file (an Android app package): we decompile it, modify it, and recompile it. I will go through the setup and basic commands.
Introduction to APK format
Android apps are distributed as .apk files, which are essentially special .zip containers signed with a certificate. The signer could be somebody like the Google Apps Store. The idea is that modifying the .apk file invalidates the signature, which prevents installation of modified apps.
The main line of defence against installing malicious APK files is to make sure they are downloaded from the Google Apps Store. But once the APK (app) is in the user's hands, it is unprotected. Most premium apps can be rooted, so ripping apps is easy.
Came across a resort with this lame login page prompting the user to purchase access.
Ended up purchasing access. Hell, I don't have my iodine server set up or anything. Will have to remember to do that before going out to resorts with lame $30 charges for 7 days of horrible net.
After purchasing access, the AT&T server basically records your MAC address and allows it access for the amount of time you purchased.
The obvious solution is to use a program like Virtual Router and create a local hotspot with the machine that purchased access as the host. But for some odd reason, mine didn't work!